COMPUTERWORLD 


Inside 


News  Analysis 

A  cache-poisoning 
flaw  found  in  the  DNS 
protocol  puts  domain 
name  servers  at  risk 
of  attack. 

Seven years after it began, an effort to set up a national disease-tracking system still isn’t finished.

The Grill: Simmons Bedding’s CIO touts the value of just-in-time systems and standardized IT.

Opinion

Consultant, adviser, outsourcer - the label you choose defines the relationship.

The economic slowdown begins to hit the IT job market.

On the Mark: There’s a data deficit where you’d least expect it: in the CIO’s office.


Inside 


■  NEWS  DIGEST  ■  DEPARTMENTS 

The Nielsen Co. gives up tax breaks in Florida because of the

8 The EPA expects to introduce an initial Energy Star rating for servers by year's end. | Supporters of Barack Obama use his campaign's social networking site to protest his stance on the FISA bill.


noticed.  A  flaw  in  the  DNS  protocol 
prompts  a  synchronized  patching 
effort  by  vendors,  plus  a  chorus  of 
calls  for  users  to  install  the  fixes. 


On the Mark: Mark Hall hears about a data deficit where you'd least expect it in the CIO's

dozen  states  have  yet  to  install 
technology  needed  to  enable  public 
health  officials  nationwide  to  use  the 
Web  to  monitor  disease  outbreaks. 

■  OPINION 

4 Editor's Note: Don Tennant finds many IT pros to be insightful, but too many in the profession too easily find occasion to slip into denial mode.

25 Michael H. Hugos explains how agile analysts hit the ground

42 Paul Glen has discovered that getting value from outside advisers has a lot to do with what you call them.

48  Frankly  Speaking:  Frank 
Hayes  warns  everyone  to  fix  their 
DNS  implementations  without  delay. 


20 The Grill: CIO W. Wade Vann says the keys to success for Simmons Bedding Co. are “plain vanilla” systems, standardization and just-in-time IT.

38 Security Manager's Journal: Shoveling Sand Against the Tide. The frustrations of slashed budgets and inadequate manpower come to a head. Is it time for a change?

45 Career Watch: The economic slowdown hits IT; and demand for SAP skills leads to a spike in pay.

47 Shark Tank: Users say their printer has a magic button that ejects the paper tray. But one day, the magic




■  FEATURES 

26  E-medical  Records: 
What  Seems  to  Be 
The  Problem? 

COVER  STORY:  Progress  on  electronic  health  records 
has  been  held  back  by  technical  issues,  but  the  biggest 
obstacle  may  be  a  payment  system  that  lacks  financial 
incentives  for  health  care  providers. 

35  Quality  Over  Quantity 

Johnson  &  Johnson's  approach  to  application  support 


36  Should  We 
Tell  the  Boss? 

We asked CIOs to talk about the kinds of messages they need to hear loud and clear from their staffers - and the things they


■  EDITOR’S  NOTE 

Don  Tennant 


Insight  and  Denial 


INFORMATION TECHNOLOGY pros are an insightful breed. I know my fair share of them, and I’ve noticed that a lot of them tend to focus on how practical information and lessons learned can be applied to their work, even when the lessons come from outside of the profession.

An example presented itself a couple of weeks ago in an e-mail exchange with Dale Frantz, CIO at Auto Warehousing Co. I’d recounted a story about a mishap I’d had at our recent Infrastructure Management World conference at the new Gaylord National Hotel near Washington.

I had driven my beloved Mazda MX-5 (the model formerly known as Miata) from Massachusetts, and I entrusted it to the hotel’s parking valets for safekeeping. On the morning I checked out, I called to have my car retrieved and waited at the hotel’s entrance. And waited. And waited.

After about 30 minutes and several inquiries, I was finally given the apologetic explanation that the police had one of the streets blocked off. Another 15 or 20 minutes passed, and a sympathetic bellman said there had been an accident near the valet lot and a backlog was forming because a lot of people were checking out. About 20 minutes later, a valet who had been fetching cars said he had seen the silver Miata and there was . . . um . . . a problem getting it out of the lot. Finally, I was approached by the head valet manager. “Mr. Tennant,” he said, “I have some bad news.”

There had been an accident, all right. It turned out that the young woman who was retrieving my car hit another valet who had run out in front of her, then she swerved into a pole and smashed up the left side of the car. The poor guy she hit suffered a compound leg fracture and was taken away in an ambulance, so I could hardly get too upset when I saw the damage to my car. At least it was still drivable, and it can be fixed. There was only one thing that really bothered me. Why was I kept in the dark for well over an hour? Why wasn’t I immediately informed? It’s not like I wouldn’t eventually find out, you know?

I found Frantz’s response to the tale very interesting.

“There’s a career IT parallel here,” he wrote. “When IT projects have problems, it seems that the ‘delay and cover up’ is what happens with reporting back to senior management. ‘Maybe the CEO won’t notice that we’re not delivering this project well past the time expected,’ or ‘Maybe the CEO/CFO won’t notice the fact that our project has been in a wreck and is severely damaged. Maybe our internal customers will just ignore it and go away.’ ”

People in the IT industry have some strange habits, Frantz said, most of which are self-destructive. I would add that slipping into denial mode may be the most destructive of all.

You may recall from our reporting that Frantz has embarked on a pioneering project to migrate his formerly all-Microsoft IT shop at AWC to the Mac. He mentioned in our e-mail exchange that the conversion, which began about a year ago, is ahead of schedule and has already saved him nearly $1 million in license fees.

Yet there is still widespread denial among IT pros that Apple in the enterprise is anything but a “novelty” or that it’s a viable Microsoft alternative (check out the reader comments to our story “Study: 8 in 10 Businesses Now Using Macs,” posted on our Web site on June 26).

Meanwhile, Frantz says AWC is “thriving during these bleak economic times,” due in no small part to his switch to Macs. That’s something that all those IT pros who think their CEOs won’t notice the Microsoft money pit might want to consider. ■

Don Tennant is editorial director of Computerworld and InfoWorld. Contact him at don_tennant@computerworld.com, and visit his blog at http://blogs.computerworld.com/

JULY 14

THE  WEEK  AHEAD 

TUESDAY:  Oracle  is  due  to  release  45  software  patches  as 
part  of  its  latest  quarterly  batch  of  security  fixes. 

TUESDAY:  The  Senate  Judiciary  Committee's  antitrust 
subcommittee  plans  to  hold  a  hearing  on  the  search-results 
advertising  deal  signed  by  Google  and  Yahoo  last  month. 

THURSDAY: Microsoft and Google are both scheduled to report their latest financial results. Chip rivals Intel and AMD also plan to file earnings reports this week.

Replaces 

now expects to have about 1,300 employees at the facility by year’s end, plus 250 or so contract workers.

Gary Holmes, a spokesman for Nielsen, said the company decided to pull out of the tax-break program after members of the Oldsmar city council expressed “second thoughts about the agreement” because of the layoffs. “It became kind of an emotional issue,” he said.


mar, Fla.

Nielsen, which is best known for measuring TV audiences, began getting the tax breaks after agreeing to build the $100 million facility in Oldsmar, west of Tampa. The

from the state under an incentive program that has expired. The local incentives, though, were scheduled to continue until 2016.

But then last October, Nielsen announced a 10-year, $1.2 billion outsourcing agreement with India-based Tata Consultancy Services

Despite the layoffs, the incentive deal “did everything it was intended to do,” said Mike Meidel, director of Pinellas County Economic Development. Nielsen could have built its technology center somewhere else,


ousted CEO Diane Greene and replaced her with Paul Maritz, a former top

Corp., which is posing a new challenge to VMware's dominance of the server

VMware also warned that its revenue will likely be “modestly below” expectations this year. But a spokesman for EMC Corp., the virtualization vendor's majority o

Greene co-founded VMware in 1998 and had run it since then. But Gartner Inc. analyst Thomas Bittman said that with Microsoft now pushing its Hyper-V software, “it's going to be a very different market” for VMware.

-LUCAS  MEARIAN.  WITH 
SERVICE 



■  NEWS  DIGEST 


BETWEEN  THE  LINES 


By  John 


IT  Group  Claims  Former 
Official  Used  Pseudonym 
To  Discredit  It  in  Blogs 

THE U.S. chapter of the IT Service Management Forum has filed a

director, are one and the same. The lawsuit, filed last month in a California state




com bust's business failures, online grocer Webvan Group Inc. shut down and said it would file for Chapter 11 bankruptcy protection.


outcome of the election, according to ITSMF officials.

Now the group, which promotes the use of standards such as the Information Technology Infrastructure Library, is claiming that

Global 

Dispatches 

IT Thefts Stop Online Presses

LONDON - The Financial Times

The online shopping site of grocer J Sainsbury PLC was also affected by the theft at the facility in Watford, north of London. The thieves took

believe they were seeking scrap metal, not IT gear per se.

The theft forced the Financial Times to run its FT.com site from a backup facility in

Cable & Wireless wouldn't


Yahoo  Alerts  EC 
To  Google  Deal 


the  EC  ( 




DNS  implemen- 
oped  by  Internet 


DNS  Hole 
Doesn’t  Go 
Unnoticed 

A  flaw  in  the  DNS  protocol 
didn’t  merit  Microsoft’s 
highest  severity  rating.  But 
it’s  certainly  getting  a  lot  of 
attention.  By  Jaikumar  Vijayan 


A SOFTWARE PATCH released by Microsoft Corp. to plug a hole in the Domain Name System protocol was just one of nine security fixes the company issued last week. And like the others, the DNS patch got only an “important” severity rating, one step below Microsoft's top rating of “critical.”

But that belies the amount of attention that the DNS vulnerability is attracting. The discovery of the cache-poisoning flaw earlier this year prompted a rare synchronized patching effort involving Microsoft, Cisco Systems Inc. and other vendors. And the disclosure of the vulnerability last week was accompanied by a chorus of calls for IT managers to patch or upgrade their

12 COMPUTERWORLD JULY 14, 2008


tris, who is chairman and chief scientist at Nominum Inc. — a name server vendor that was among the companies issuing fixes for the flaw.

The urgency is being fueled by the fact that the vulnerability is a fundamental design flaw in the DNS protocol. In addition, Dan Kaminsky, the researcher at security services firm IOActive Inc. who found the cache-poisoning problem, plans to detail it at the Black Hat USA 2008 security conference next month.

David Jordan, chief information security officer for the Arlington County government in Virginia, wouldn't specify what measures the county took after learning of the DNS flaw from an alert issued by the U.S. Computer Emergency Readiness Team. But he said that patches deemed to be critical get treated as such by the county's IT staff.

“They go to the front of the queue,” Jordan said, adding that the county “significantly” increases its network monitoring until such patches are put in place.

Kaminsky said that virtually every domain name server resolving IP addresses on the Internet is vulnerable to the DNS flaw, which could enable attackers to redirect Web traffic and e-mails to systems they control.

The US-CERT advisory listed more than 80 vendors whose products might be affected. A few have since reported that their software

Systems Consortium Inc. ISC released patches for several versions of BIND and urged users of older releases to upgrade their systems.

The type of flaw Kaminsky found isn’t new; several other security researchers had previously discovered similar cache-poisoning vulnerabilities in the DNS, according to the US-CERT advisory. Attackers can exploit such flaws to determine the numerical identifiers randomly assigned to DNS packets; doing so gives them a chance to inject forged code and spoof DNS traffic.

But the new vulnerability Kaminsky found is so serious because it appears to offer a far more effective means of guessing packet identifiers than any flaws found earlier. “Someone using this technique can poison a caching server in about 10 to 20 minutes,” Mockapetris said.

Joao Damas, a senior program manager at ISC, said the patches that vendors are issuing are designed to add more randomness to the process of assigning the identifiers to packets, in order to make it harder to guess the numbers. “Increasing forgery resilience is the way we are trying to do this,” Damas said.

The patches are also being crafted to minimize the chances that attackers could reverse-engineer them, Kaminsky said. But he predicted that exploits of the flaw will still be developed. ■
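
An added example (not from the article or from any vendor's patch) of the point Damas makes about adding randomness to identifiers: a check that flags obviously guessable identifiers in a sample taken from a resolver's own outbound queries, plus the arithmetic for how extra bits of randomness lower the chance that a forged reply matches. The 16-bit width is the ID field of the DNS message header; the sample lists, the thresholds, the function names and the simple independent-guess model are assumptions made for illustration.

```python
"""Added example: rate how guessable a resolver's query identifiers are."""
import math
import random
from collections import Counter

ID_BITS = 16  # width of the ID field in the DNS message header


def guess_probability(entropy_bits, forged_replies):
    """Chance that one of `forged_replies` distinct guesses matches an
    identifier drawn uniformly from 2**entropy_bits possible values."""
    return min(1.0, forged_replies / 2 ** entropy_bits)


def cumulative_probability(entropy_bits, forged_replies, lookups):
    """Chance of at least one match across `lookups` independent lookups
    (simplified model: every lookup draws a fresh uniform identifier)."""
    miss = 1.0 - guess_probability(entropy_bits, forged_replies)
    return 1.0 - miss ** lookups


def assess_identifiers(ids, bits=ID_BITS):
    """Flag obvious structure in identifiers observed on a resolver's own
    outbound queries. Passing proves nothing about the generator; failing
    means the next identifier can be inferred from earlier ones."""
    if len(ids) < 8:
        raise ValueError("need at least 8 observations")
    space = 2 ** bits
    # Step between consecutive identifiers, modulo the field size.
    deltas = [(b - a) % space for a, b in zip(ids, ids[1:])]
    top_delta, top_count = Counter(deltas).most_common(1)[0]
    delta_share = top_count / len(deltas)
    # Shannon entropy of the sample; it cannot exceed log2(len(ids)) bits.
    n = len(ids)
    entropy = sum(c / n * math.log2(n / c) for c in Counter(ids).values())
    ceiling = min(bits, math.log2(n))
    # Illustrative thresholds: one step dominates, or values repeat heavily.
    predictable = delta_share > 0.5 or entropy < 0.8 * ceiling
    return {
        "dominant_delta": top_delta,
        "dominant_delta_share": round(delta_share, 3),
        "sample_entropy_bits": round(entropy, 2),
        "verdict": "predictable" if predictable else "no obvious pattern",
    }


# Constructed samples, not captured traffic.
SEQUENTIAL_IDS = [(0xFFF0 + i) % 2 ** ID_BITS for i in range(64)]  # counter that wraps
FIXED_IDS = [0x1234] * 64                                          # same value every time
_rng = random.Random(2008)  # seeded only so the sample is reproducible
SCATTERED_IDS = [_rng.randrange(2 ** ID_BITS) for _ in range(64)]

if __name__ == "__main__":
    samples = [("sequential", SEQUENTIAL_IDS), ("fixed", FIXED_IDS),
               ("scattered", SCATTERED_IDS)]
    for name, sample in samples:
        print(f"{name:10s} {assess_identifiers(sample)}")
    # Same number of guesses, more random bits: the match chance collapses.
    for bits in (16, 24, 32):
        p = cumulative_probability(bits, forged_replies=100, lookups=1000)
        print(f"{bits} random bits -> match chance {p:.6f}")
```
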




■  NEWS  ANALYSIS 


Seven  Years 

And  Counting: 
National  Disease- 
Tracking  System 
Still  Unfinished 

A  dozen  states  have  yet  to 
install  technology  needed  to 
enable  public  health  officials 
to  monitor  disease  outbreaks 
via  the  Web.  By  Todd  R.  Weiss 

YOU MIGHT think that in the event of a major epidemic across the U.S., public health officials at the federal, state and local levels could track the outbreak electronically, using real-time data to try to control the spread of the disease.

CDC launched the initiative, though, the National Electronic Disease Surveillance System has yet to be completed. At this point, only 38 of the 50 states, plus the District of Columbia, are fully compliant with the technical requirements of NEDSS.

As a result, the data being input into the fledgling

spread of diseases.

The slow progress on NEDSS is forcing health agencies to continue relying on an existing system in which disease reports are manually entered into state-level databases and then transmitted to the CDC on a weekly basis.

For many health officials, the continuing inability to track outbreaks in real time is a source of both frustration and public-safety concerns.

“As a nation, we should be astounded that this capacity doesn’t exist,” said Dr. Scott McNabb, an epidemiologist who heads the NEDSS program in his job as director of the CDC's Division of Integrated Surveillance Systems and Services. “It should be a call for action.”

McNabb described the capabilities of NEDSS as “absolutely mission-critical” for health officials. “With disease outbreaks, if local and state health departments are able to identify them quicker, then we are able to prevent future cases,” he said. “But if we don’t identify cases in a timely way,

Utah have yet to comply with any of the requirements (see map, next page).

One of the major causes of the delays in completing NEDSS has been a shortage of federal funding for the project. The CDC has been receiving just $24.7 million annually for NEDSS, much of which the agency passes on to the states. A bill before Congress would provide $2.5 billion over five years to complete the system and pay for new hardware needed to make it more functional, but no action has been taken on that measure.

Also, even CDC officials acknowledge that NEDSS requires a major effort on the part of the states, partly because it involves more complex data than they had to work with in the past.

Before, infectious disease cases were reported individually and didn’t automatically get grouped in a database. With NEDSS, states will combine their reports into integrated data repositories, giving users a fuller picture of what is happening regionally and nationally — but also imposing new data-


On the Mark

HOT TRENDS ■ NEW PRODUCT NEWS ■ INDUSTRY BUZZ BY MARK HALL


End  IT’s  Data  Deficit 

IT’S HARD TO IMAGINE a data deficit in the CIO’s office, given the reams of reports spewing out of IT. But Ray Homan argues that there is one.

Homan is the CEO of BDNA Corp. in Mountain View, Calif., which supplies — you guessed it — more information to IT. But this might be just the data you’ve been missing.

you interesting tidbits — for example, the date when a vendor plans to cease supporting a critical application’s underlying operating system, or which systems encrypt data at rest.

What's  more,  Homan  claims,  after 


Collaborate  on  Services 

If  you’re  following  a  service-oriented 


you a single, pathetic vowel, the

The IBM i.

Letters aren’t all the i is losing. David Leichner, chief marketing officer at BluePhoenix Solutions in Cary, N.C., says the legacy technology is losing market share, even among supporters. A survey last month of the membership of Common, the largest user group for i technology, showed that a mere 23% planned to move to the latest Power Systems hardware to run the i OS.

Leichner says the most active part of his company's legacy-migration business is moving old RPG-based i stuff to .Net or Java just because it’s too risky to keep alive.




W.  Wade  Vann 

The  Simmons  Bedding  CIO  talks 
about  ‘plain  vanilla’  systems, 
standardization  and  just-in-time  IT. 


simple and that, for the most part, we’re doing the same operations at each of our manufacturing plants. We don’t have a diverse number of product lines, or even customers. We have less than 3,500 customers across the United States. A low number of customers and a low number of SKUs really helps us to keep things as simple as possible.

Is there a lot to keep track of for a bedding company? We have all the financials — accounts payable, general ledger, accounts receivable, fixed assets.

Continued on page 24




■  THE  GRILL  W.  WADE  VANN 


Continued from page 20

Then, on the manufacturing side, we have order processing systems, manufacturing scheduling systems, transportation scheduling systems. Then, down on the shop floor, we have production-tracking and time-and-attendance systems. It’s all centralized

used at Simmons as “plain vanilla.” Can everything you need to do really be done with essentially off-the-shelf software? Let’s make sure you’re not misunderstanding me. For J.D. Edwards, our ERP system, we have customized the software. We went through a detailed review of all the functional requirements, and we have had to make some changes to the software, more so than we even wanted to. But we have reduced those needed changes by at least 65% [since] 1995. And that’s driven by

which piece they're producing so we can keep track of each individual's productivity in a real-time environment.

How does the just-in-time nature of your business affect IT? Everything is just in time. The raw materials come in just in time, our trailers are shipped just in time, the manufacturing process has to happen exactly as scheduled to meet the delivery window. So the system has to run very smoothly all the time. If you go into a retail store and you


Michael  H.  Hugos 

How Agile Analysts Get Things Done

HERE’S A SITUATION to ponder. Let’s say one of your company’s divisions has hit on a great new business model that’s impressing even the accountants. Headquarters decides this business needs to be scaled up and rolled out nationally — fast.


systems to manage the data and perform the tasks in the process flows. I'd schedule phone calls for reviews and corrections. Since such documents are graphic and easy to understand, even the busiest people would be willing to take the time to look at them.

I’d ask for two other documents from the division’s IT people: technical architecture diagrams of their systems, and schemas of the system



THERE  ARE  LOTS  OF  CHALLENGES, 

BUT  FINANCIAL  DISINCENTIVES  MAY  BE 
THE  BIGGEST.  BY  ROBERT  L.  MITCHELL 


IT’S BEEN ABOUT THREE YEARS since San Diego’s five major hospitals first convened to discuss sharing electronic medical record data in an effort to improve diagnoses, reduce errors and improve the quality of patient care. The group held several meetings and entered discussions with a vendor as a possible corporate sponsor — and that was that.


Electronic  medical  record  (EMR): 


Electronic  health  record  (EHR): 


Personal  health  record  (PHR): 




WHAT’S  IN 
A  RECORD? 


related  information  on  an  individual 
that  can  be  created,  gathered, 
managed  and  consulted  by  autho¬ 
rized  clinicians  and  staffers  within 
one health care organization.


"It really didn't go anywhere," says Dr. Joshua Lee, medical di-

the University of California, San Diego, Medical Center, one of the
participants in the EMR discus-


have  had  a  clear  public  health 
benefit,  it  was  not  in  each  hos¬ 
pital's  economic  self-interest  to 
pursue  it.  "The  financial  and  over¬ 
sight  responsibility  would  fall  on 
the  medical  centers,  even  though 
it's  a  very  intangible  benefit  to  the 
medical centers," says Lee.

Today,  if  a  child  who  is  a  UCSD 


patient  at  the  pediatric  clinic 
at  7010  Frost  St.  in  San  Diego  is 
admitted  to  the  emergency  room 
at  Sharp  Memorial  Hospital  at 
7001  Frost  St.,  the  only  way  the 
ER doctor can view that child's
known medical problems, allergies,
prescriptions and other
health  data  is  by  calling  UCSD 
Healthcare,  making  a  records 
request,  and  waiting  for  the  infor¬ 
mation  to  be  printed  and  either 
faxed  or  physically  delivered  on 
paper.  Conversely,  any  treatments 

Continued  on  page  30 


An  electronic  record  of  health- 
related  information  on  an  individual 
that conforms to nationally recog-

that  can  be  created,  managed  and 
consulted  by  authorized  clinicians 
and  staff  across  more  than  one 
health  care  organization. 


An electronic record of health-

nized  interoperability  standards  and 
that  can  be  drawn  from  multiple 
sources  while  being  managed,  shared 
and  controlled  by  the  individual. 



“Doctors are not going to do this on their own. Hospitals have to pay for them to acquire it, and payers have to provide incentives for them to use it.”

JOHN HALAMKA, CIO, HARVARD MEDICAL SCHOOL AND BETH ISRAEL DEACONESS MEDICAL CENTER


tices.  By  using  a  software-as-a-service 
model for delivering EHR systems, those
practices can reduce upfront hardware
costs. “Software as a service is
cheaper  because  of  economies  of  scale 
achieved  through  central  hosting  and 
procurement,”  Halamka  says. 

But  although  Beth  Israel  Deaconess 
has  made  it  a  policy  to  offer  EHRs  to 
nonemployee  doctors,  many  hospitals, 
faced  with  tight  budgets,  are  unlikely 
to fund such programs without an eco-
Continued  on  page  34 

JULY 14, 2008 COMPUTERWORLD 31


COVER  STORY 


PERSONAL  E-HEALTH  RECORDS 
MAY  GIVE  AUTOMATION  A  PUSH 


Microsoft.  Google  and  Dossia  are  all 
developing  Web  sites  where  individuals 
can  aggregate  personal  health  records 
from  a  variety  of  sources.  The  data  in  a 
PHR can be formatted to fit onto a USB
drive or DVD-ROM that the user can easily
carry. In an emergency, a PHR could
provide  a  doctor  with  basic  information 
about  a  patient,  such  as  his  allergies  or 
prescriptions.  But  doctors  say  it  is  no 
substitute  for  a  more  detailed,  institu- 


Providers  may  “dumb  down"  summary 
data  for  a  PHR,  and  users  can  add  or  delete 
information.  “That  may  shoot  it  down  with 
physicians,” says John Quinn, chief technology
officer at standards group HL7.

Dossia  will  release  its  PHR  to  7  million 
employees  of  Wal-Mart  Stores  Inc.  and 
several  other  founding  companies  this 
year;  Microsoft’s  Health  Vault  is  already 


But  will  people  use  them?  John  Halamka, 
CIO  at  Harvard  Medical  School  and  Beth 
Israel Deaconess Medical Center in Boston,
thinks that about 20% of users will
find  creating  a  PHR  to  be  worthwhile.  And 
those  early  adopters  may  start  demanding 
that  providers  maintain  health  care 
records  in  electronic  form.  “Some  good 
use  cases  will  start  forcing  labs,  clinics 
and  hospitals  to  start  producing  clinical 
summaries  in  the  national  format,"  Halam¬ 
ka  says.  In  that  way,  PHRs  could  prompt 
providers  to  finally  get  their  own,  internal 
electronic  records  systems  in  order. 

-  ROBERT  L.  MITCHELL 


that  have  their  own  EMR  systems. 

Ultimately,  technology  isn’t  the 
problem.  Granted,  the  health  care 
industry  has  been  held  back  by  loose 
and  overlapping  technical  standards 
and  by  poor  interoperability  among 
the  different  types  of  health  infor¬ 
mation  systems  sold  by  hundreds  of 
vendors.  But  the  biggest  obstacle  may 
be  a  payment  model  that  offers  little 
financial  incentive  for  most  health  care 


“We have had the technology to do this for 30 years.”


records  internally,  let  alone  share  them 
with  other  providers. 

Electronic  records  systems  do  yield 
some  savings,  particularly  in  the  area 
of  filing,  but  the  savings  often  aren't 
enough  to  justify  the  cost  —  especially 
for  single-physician  and  small  group 
practices,  which  make  up  more  than  half 
of  the  health  care  services  in  the  U.S. 

Even  in  Indianapolis,  there  is  no  vi¬ 
able  long-term  business  model  for  the 
health  information  exchange,  and  not 
all  members  have  their  own  EMR  sys¬ 
tems.  “We  are  largely  grant-funded," 
Grannis  says.  Once  those  grants  come 
to  an  end,  other  revenue  sources  must 
be  found  to  sustain  the  programs. 


prevention  of  adverse  reactions  to 
drugs.  But  while  providers  recognize 
the  benefits,  they  aren't  rewarded  for 
improved  patient  care  and  safety,  says 
John  Quinn,  chief  technology  officer  at 
Health  Level  Seven  Inc.  (HL7),  a  health 
data  standards  development  organiza¬ 
tion  in  Ann  Arbor,  Mich. 

A  recent  study  on  the  value  of  com¬ 
puterized  order-entry  systems  for 
clinical use found that only 11% of the
return  on  that  investment  goes  to  the 
provider.  Most  of  the  rest  benefits  the 
payer,  says  study  co-author  Blackford 
Middleton,  who  is  corporate  director 
of clinical informatics research and development,
and chairman of the Center
for  IT  Leadership  at  Partners  Health- 
Care  System  Inc.  in  Boston. 

“We’re  not  reimbursed  for  using 
better  systems  to  take  better  care  of 
patients,” says Mark Leavitt, chairman
of  the  Certification  Commission  for 
Healthcare  Information  Technology. 
Ironically,  the  financial  systems  are 


THE  BUSINESS  PROBLEM 

Just getting health care providers
to  migrate  from  paper  to  electronic 

"The  provider  bears  the  cost,  but 
most  of  the  benefits  accrue  to  other 
parties,”  mainly  "payers"  —  insurance 
companies  —  and  patients  who  reap 
the  benefits  of  higher-quality  care,  says 
John  Halamka,  CIO  at  Harvard  Medi¬ 
cal  School  and  Beth  Israel  Deaconess 
Medical Center in Boston and a Computerworld
columnist.

Among  the  benefits  for  patients  is 


darn  sure  those  work,  because  if  you 
don't  send  [insurance  reimbursement 
information] in the right format, you
don’t  get  paid,"  he  says. 

Historically,  the  adoption  of  com¬ 
puters  in  health  care  has  been  driven 
by  the  need  to  bill  for  services.  That 
hasn't  changed,  Leavitt  says. 

The  same  problem  arises  with  re¬ 
gional  health  information  exchanges, 
such  as  the  one  briefly  considered  in 
San  Diego.  “If  I  send  electronic  infor¬ 
mation to Sharp [Memorial Hospital], I
don’t  really  benefit.  It  costs  money  to  do 


this, and it doesn't really help our margin,”
says Lee. "It's good for patients,
but  it's  almost  an  unfunded  mandate." 

On  the  other  hand,  says  Leavitt,  “if 
you're not able to cover the last mile and
get  that  record  to  the  other  institution,  it 
won't  affect  your  reimbursement  at  all." 

Shared  EHRs  can  help  providers 
avoid  duplicating  tests.  But  providers 
are  compensated  for  procedures  given, 
not  those  avoided.  “The  cost  to  the 
payer is diminished, but so is the reimbursement
to the radiology department
and the radiologist,” says HL7
CEO Charles Jaffe.


tion  of  care,  a  clinical  summary  will 
be pushed to the next caregiver,” says
Halamka.  Today,  that  information  is 
still  printed  and  forwarded  on  paper. 

If  the  patient  is  lucky,  his  new  provider 
may  scan  the  paper  records  into  its  own 
system,  where  they  will  be  available  as 
viewable but nonsearchable image files.

Robert  Smith  is  associate  chief  of 
staff  for  health  care  analysis  at  the 
Veterans  Administration  San  Diego 
Health  Care  System,  which  also  partic¬ 
ipated  in  the  regional  exchange  discus¬ 
sions.  He  thinks  that  the  advantages 
in  quality  of  health  care  and  patient 
safety  are  "worth  every  cent." 

The VA has developed its own EMR
system  and  can  share  patient  data  with 
any  VA  hospital  in  the  country,  as  well  as 



with some U.S. Department of Defense
medical facilities. But VA San Diego
can't exchange data with non-VA health
care  providers  that  its  patients  use. 

The  Duke  University  Health  System 
has  integrated  the  data  from  its  dispa¬ 
rate  systems  to  create  a  unified  EMR 
system. CIO Asif Ahmad says the benefits
have been worth the considerable
effort  involved.  The  hospital  is  using 
business  intelligence  tools  to  comb 
through  clinical  data  in  an  effort  to  im¬ 
prove  the  quality  of  patient  care  and  is 
using  predictive  analytics  to  help  avoid 
potentially  adverse  reactions  to  drugs 
and  improve  patient  safety.  But  it  is  not 
yet sharing health care record data outside
of its own provider network.

SHOW  ME  THE  MONEY 

The  lack  of  consistent  standards  and 
the  plethora  of  proprietary  vendor  of¬ 
ferings  contribute  to  the  problem,  but 
those  issues  are  slowly  being  resolved. 
Improving  interoperability  will  make 
building  an  EMR  infrastructure  and 
EHR  exchanges  easier  and  cheaper,  but 
it  won't  solve  the  incentive  problem. 

First, there are the upfront costs for
getting all practices on EMR systems.
Leavitt says the typical cost of such a
system ranges from $15,000 to $50,000
per doctor. “Smaller practices can't

"Doctors are not going to do this on
their own," says Halamka. “Hospitals
have to pay for them to acquire it, and
payers have to provide incentives for

pretation  of  the  Stark  Law  —  federal 
legislation  that  prohibits  doctors  from 
receiving  subsidies  from  institutions  to 
which  they  refer  patients  —  hospitals 
can subsidize up to 85% of nonhardware
implementation  costs  for  private  prac- 




DOCTORS
PUSH BACK

Cost  isn’t  the  only  reason  why 
doctors  may  object  to  using  elec¬ 
tronic  medical  records  systems. 

Most  commercial  products  in 
use  today  weren't  built  by  clini¬ 
cians,  and  some  have  faced 
doctor pushback. “Top-down efforts
to create electronic health
records often run into resistance”
- and even open rebellion
among doctors, says Robert
Smith, associate chief of staff for
health care analysis at the Veterans
Administration San Diego
Health Care System.

Shaun  Grannis,  medical  in¬ 
formatics  researcher  at  the 
Regenstrief  Institute,  says  the 
user  interfaces  in  commercial 
products  often  lack  flexibility  and 
don't  always  present  information 
the  way  doctors  need  to  see  it. 

“In  my  electronic  medical 
records  system,  it  takes  seven 
mouse  clicks  to  place  a  prescrip¬ 
tion  for  my  patients.  That's  too 
many,”  he  says. 

Grannis  also  would  like  to 
be  able  to  view  and  change  a 
patient's  medications  and  di¬ 
agnoses  from  the  same  screen, 
but  the  systems  aren’t  flexible 
enough  to  allow  that.  He'd  like  to 
see  a  fully  customizable,  widget- 
style  user  interface  like  iGoogle's 
so  a  doctor  could  arrange  differ¬ 
ent  health  information  widgets 
and  resize  and  reorder  them 
on  the  same  screen.  "I'd  like  to 
decide  how  I'm  going  to  interface 
with  the  system,  not  the  other 
way  around,”  he  says. 

Smith  agrees  that  it  may  be  less 
efficient  to  “mouse  around”  on 
electronic  forms  than  it  is  to  use 
paper. But if physicians can get
over  that,  efficiencies  in  decision 
support  and  structured  reviews 
of  information  such  as  lab  and 
radiology  results  make  electronic 
record  systems  worthwhile.  The 
key,  he  says,  is  to  tailor  the  sys¬ 
tems  to  the  physicians'  needs. 

-  ROBERT  L.  MITCHELL 




HEALTH  INFORMATION  EXCHANGES 

A national electronic health record exchange is far from a reality, but a few local health care exchanges have emerged in the U.S. These allow member provider organizations to share electronic health record data, giving physicians a unified view of a patient’s medical history.

The Massachusetts Health Data Consortium has organized a regional health information sharing initiative called MA-SHARE (for “Simplifying Health Care Among Regional Entities"). MA-SHARE has created two exchanges. The first was an e-prescribing gateway between two Boston-area hospitals. The second enables several providers to share patient discharge and emergency room summaries. The cost savings from eliminating paper handling, storage and routing have been enough for member hospitals to consider funding the project on an ongoing basis, says John Halamka, CEO of MA-SHARE.

The key to success has been grant funding and contributions from large health care organizations. Such local information-exchange efforts may ultimately succeed, but a national health information exchange can’t be funded by local stakeholders, Halamka says.

The Regenstrief Institute’s electronic medical records system aggregates data on 6 million patients from 34 providers and allows a doctor to view all data for a given patient in a single, virtual record. Rather than forcing each provider to change its data format, the institute provides the middleware to convert everything into a common format.

The  Regenstrief  Institute  contributes 
$2.8 million of the annual $19.5 million
budget;  the  balance  is  largely  funded  by 
federal  grants,  although  some  funding 
comes  from  local  health  care  institutions. 
The  organization  has  also  procured  ongo¬ 
ing  funding  for  related  services.  For  ex¬ 
ample,  the  exchange  creates  a  repository 
of  health  data  that  the  institute  has  mined 
to  create  a  system  for  alerting  public 
health officials to disease outbreaks.

But  getting  health  care  providers  to 
lay  their  dollars  on  the  line  has  been 
a  tough  sell,  says  medical  informatics 
researcher  Shaun  Grannis.  “They're  just 
beginning  to  understand  the  value  of  a 
system  like  this,”  he  says. 


Continued from page 31
nomic  incentive  to  do  so. 

There  are  secondary  costs  as  well. 
Staffers  must  learn  a  new  EMR  system 
and  often  must  change  their  business 
practices  to  accommodate  the  way  it 
works. In some cases, the implementa-

months and cut back the number of
patient  visits  by  as  much  as  50%,  says 
Grannis.  “That’s  a  big  barrier  to  face. 
And  they’re  not  computer  scientists, 
so  it's  a  strange  new  world,"  he  says. 
While  practices  do  see  some  savings 
by  reducing  costs  in  areas  such  as  fil¬ 
ing,  “none  of  these  value  propositions 
are  home  runs,"  says  Grannis. 

HL7's Jaffe says that if the market
isn't  providing  incentives  to  doctors  to 
make  the  transition,  the  government 
should  do  so  in  order  to  improve  public 
health. “In the U.S., [the government]
has budgeted $75 million for health
care  IT.  In  England,  it's  L'l  billion.  It’s 
disheartening,"  he  says. 

The  U.S.  Department  of  Health  and 
Human  Services  does  have  one  small 
program  under  way.  In  what  project 
officer  Jodi  Blau  calls  a  “pay  for  per¬ 
formance  demonstration,"  the  Centers 
for  Medicare  &  Medicaid  Services 
are  in  the  process  of  recruiting  2,400 
practices in 12 locations this year to
participate in a study. Physicians can
earn up to $58,000 — group practices




the course of the five-year program by
demonstrating improvements in patient
care as a result of having implemented
EMR  systems.  “We  believe  the  incen¬ 
tives  are  substantial  enough  to  reduce 

However,  there  are  921,904  physi¬ 
cians,  723,118  practices  and  5,756 
hospitals  in  the  U.S.,  according  to  the 
American  Medical  Association  and  the 

those  numbers,  it’s  not  clear  that  the  in¬ 
centive  program  will  enable  the  indus¬ 
try  to  meet  President  Bush’s  stated  goal 
that  it  provide  most  Americans  with 
interoperable  EHRs  by  2014. 

BROKERED  SOLUTION 

EMR  systems  and  met  the  standards 
for  interoperability,  more  regional 
exchanges  —  and  even  national  in¬ 
formation  exchanges  —  could  start  to 
develop.  “A  hospital  in  Miami  could 
contact  a  hospital  in  San  Diego  and  do 
some  sort  of  exchange.  That’s  in  the 
ideal  world.”  says  Blau. 

unresolved.  Grannis  says  Regenstrief 
is  working  to  find  a  sustainable  eco¬ 
nomic  model  for  health  information 
exchanges  by  providing  value-added 
services  beyond  basic  health-record 
sharing.  For  example,  the  institute  has 


received  separate,  ongoing  funding 

exchange  to  quickly  identify  disease 
outbreaks  (see  story,  page  16).  But 
today, Grannis acknowledges, the exchange
still depends on “a patchwork
of  funding." 

He says he thinks that efforts by
Microsoft Corp., Google Inc. and others
to build personal health record
repositories  —  Web-based  services 
where  individuals  can  aggregate  health 
records  from  multiple  providers  and 
add  their  own  data  —  will  put  pressure 
on  the  industry  to  embrace  EMRs.  But 
it  will  be  too  complicated  and  costly 
for providers to establish bidirectional
transfers with every other provider. Exchanges
such as the one in Indianapolis
will be required, and to assuage competitive
concerns, neutral third parties
will  need  to  step  in  to  manage  those 
exchanges,  Grannis  says. 

That's  the  tack  taken  with  the  non¬ 
profit  Massachusetts  Health  Data 
Consortium’s  MA-SHARE  program.  It 
enables  the  exchange  of  clinical  docu¬ 
ment  summaries  and  e-prescribing 
data  among  17  hospitals,  using  Web 
services  protocols.  But  even  in  Mas¬ 
sachusetts,  with  its  many  advanced 
teaching hospitals, 50% of doctors still
don’t use EMRs, and Halamka's nirvana
of consolidated EHRs that follow
the patient remains a distant vision. ■


SOFTWARE  ■ 


Quality  Over  Quantity 


This  drug  firm’s  approach  to  application 
support  uses  more  service-level  metrics 
and fewer vendors. By Mary K. Pratt


Johnsons  Johnson  Pharmaceutical  Mcitesa30%reductioninap- 

Research  S  Development  LLC  in  ■  plication  support  costs.  II  had  saveo 
.  performs  RSOwodt  for  Sl75m*ionasof2006.iMlhanad* 


Rick Franckowiak
and  his  staff  were 
facing  rising  costs 
for  application- 
support  services  that,  de- 


ing increasingly complex, important
and costly, says Bob
Igou,  an  analyst  at  Gartner 
Inc.  “IT  organizations  are 
highly  challenged  to  free  up 


bucks  to  get  software  sup¬ 
port,  and  they’re  engaging 
with  their  vendors  and  say¬ 
ing,  ’What  are  we  getting  for 
this  money?'  ”  Igou  says. 

When  J&JPRD  started  the 
application-support  project. 
Franckowiak's  technology 
office  oversaw  a  portfolio 
of  more  than  90  business 
applications.  The  company 
had  five  major  vendors  pro¬ 
viding  support,  with  con¬ 
tracts  focused  on  the  num¬ 
ber  of  individual  contractors 
rather  than  overall  service 
levels,  Franckowiak  says. 

The  four-member  applica¬ 
tion  support  function  team 
started  the  project  by  exam¬ 
ining  different  approaches 


two  years,  the  team  had  to 
build  consensus  around  the 
project within both the IT
department  and  the  busi¬ 
ness  divisions,  says  applica¬ 
tion  support  manager  Bart 
Leplae;  communication  was 
essential  to  success. 

Leplae  says  team  mem¬ 
bers  also  categorized  ap¬ 
plications as “gold,” “silver”
or  “bronze”  based  on  their 
importance  to  the  business. 
Gold  applications  require 
the  quickest  resolution 


Franckowiak  says  his 
team  also  used  the  project  to 
gradually  introduce  offshore 
services  and  to  develop  and 
implement  more  detailed 
metrics  to  measure  success 
and  customer  satisfaction. 

Despite  its  ultimate  suc¬ 
cess,  the  project  presented 
some  lessons  to  be  learned. 

For  example,  the  IT  team 


Should  We  Tell  the  Boss? 


Here are five things your boss always wants to hear
and  five  things  he  hopes  you'll  never  tell  him. 


AS AN IT professional, you know the basic
rules of office politics, the simple do’s and
don’ts that govern life at work. Adhering
to  these  standards  —  the  ones  that  tell  you 
to  be  proactive  and  a  team  player  —  will  help  you  keep 
your  job.  If  you  really  want  to  advance,  though,  you 
need  to  know  which  types  of  information  your  boss 
relies  on  you  to  provide.  ■  More  isn’t  necessarily  bet¬ 
ter,  however,  and  discretion  is  everything.  So,  you  also 
need  to  know  the  kinds  of  information  your  boss  never 
wants  to  hear  from  you.  ■  We  asked  a  group  of  Com- 
puterworld’s  2008  Premier  100  IT  Leaders  to  talk  about 
the  kinds  of  messages  they  need  to  hear  loud  and  clear 
from  their  employees  and  the  things  they  never,  ever 
want  to  hear.  Here’s  what  they  said. 

Five  Things  You  Should 
Always Tell Your Boss

1 THE REAL STORY.

“Sugarcoating problems, holding back information, overpromising and consistently underdelivering are all reasons why IT has a bad reputation. We do this so well, we don’t even realize there is a problem,” says Robert Strickland, senior vice president and CIO at T-Mobile USA Inc. in Bellevue, Wash. “To lead effectively, I need the complete picture, as do our customers and our suppliers. When information is withheld, you are protecting no one.”

Neal Puff, CIO for Arizona’s Yuma County, agrees, but with the caveat that this is not a license to vent. “People sometimes confuse the truth with their opinion," he says.

2 YOUR IDEAS.

“Bring me ide
f the business, even if they're outside of IT,” says Kumud Kalia, CIO and executive vice president of customer operations for Toronto-based Direct Energy,
tegrated energy company and part of Centrica PLC.

Sounds  simple  enough,  but  Kalia 
says  workers  are  often  reluctant  to 
do  this,  thinking  they  have  to  go 
through  established  chains  of  com¬ 
mand.  But  that’s  not  necessarily  the 
case.  Bringing  ideas  straight  to  the 
top  can  help  get  initiatives  going. 

“I  can  help  get  things  launched  and 
broker  the  appropriate  conversa¬ 
tions,”  Kalia  says. 


3  WHAT  YOU  WANT. 

Ted  Maulucci,  CIO  at  Tridel 
Corp.,  a  condominium  de¬ 
veloper  in  Toronto,  tries  to 
shift  his  workers  into  the  jobs  that 
they  would  enjoy  most.  It  helps  with 
employee  retention,  morale  and  pro¬ 
ductivity. 

He  points  to  one  employee  who 
loves  working  on  hardware  so  much, 
he’ll  come  in  at  3  a.m.  to  tackle  a  new 
project. 

That’s  why  Maulucci  wants  to 
hear  what  his  staffers  want  from 
their  jobs  and  for  their  futures. 


4  NO. 

It  takes  courage  to  tell  the 
boss  that  you  don’t  agree, 
but  it’s  better  for  all  involved 
when  you  say  no  to  suggested  proj- 


ects,  timelines,  budgets  or  technolo¬ 
gies  that  just  aren’t  going  to  work, 
says  Michael  F.  Williams,  executive 
director  of  IT  for  the  Immune  Toler¬ 
ance  Network  of  the  Diabetes  Center 
at  the  University  of  California,  San 
Francisco,  and  CIO  for  the  Depart¬ 
ment  of  Neurology's  Epilepsy 
Phenome/Genome  Project. 

But  saying  no  to  ill-conceived 
ideas  isn’t  the  same  as  obstructing 
an  entire  project.  “After  you  say  no, 
don’t  make  it  impossible,”  Williams 
says.  "You  have  to  provide  various 


help  the  organization  and  its  staffers 
do  their  jobs  better. 

"You  bring  so  much  more  cred¬ 
ibility  to  the  discussion  when  you’re 
presenting  technology  in  the  context 
of  business,"  he  says. 

2  THAT  THERE’S  ONLY  ONE 
SOLUTION. 

“People  can  sometimes  de¬ 
velop  a  fondness  for  a  certain 
technology  or  programming  lan¬ 
guage  or  manufacturer  into  almost  a 


chnology  can  I  you  point  a  finger,  b« 


“I  want  a  team  that  works  together 
and  not  one  that’s  political  and  if  I 
see  it  happening,  then  I  think  people 
are  trying  to  score  points,”  says 
Kalia. 

Of  course,  there  are  times  when 
you  need  to  discuss  personnel  issues 
with your boss. For example, Kalia
wants  to  know  from  managers  when 
workers  are  thinking  of  leaving. 


vice president and CIO at Midwest
Independent Transmission System
Operator in Carmel, Ind.

Joseph  J.  Tufano,  vice  president 
and  CIO  at  St.  John's  University  in 
New  York,  agrees,  saying  IT  worki 


SECURITY MANAGER’S JOURNAL C.J. KELLY


Shoveling  Sand 
Against the Tide

The  frustrations  of  slashed  budgets  and 
inadequate  manpower  come  to  a  head. 
Is  it  time  for  a  change? 


Trouble 

Ticket 

AT  ISSUE:  The  frustra¬ 
tions  of  working  without 
enough  resources  are 
mounting. 

ACTION PLAN: Consider
available  options,  includ¬ 
ing  jumping  ship  for  the 
private  sector. 


that  one  of  our  pri¬ 
mary  Web  sites 
was  not  properly 


the  idea  that  people  had 
been  submitting  confiden¬ 
tial  information  without 
the  proper  security  in 
place  made  me  shaky.  Still, 
I  wasn't  about  to  chastise 


personally  identifiable 
information,  including 
Social  Security  number, 
name  and  address.  This 


monitor  those  logs  full 
time  or  separate  the  false 
positives  so  that  the  system 
is  a  truly  worthwhile  tool 
for  identifying  events  that 


wonder  whether  the  grass 
is  greener  on  the  other  side 
—  in  the  private  sector, 


the Web site. But we had to

referral to the correct page each time someone tried to access the old domain pages. A few important pages had been missed when the changeover occurred.

It took only half an hour to correct the problem, but

■ The situation is a recipe for disaster without end. And when one disaster hits after another, you can't help but feel that there’s no hope in sight.


LOSING  HOPE 

The  entire  situation  is  a 
recipe  for  disaster  with  no 
end in sight. And when one
disaster  hits  after  another, 
you  can't  help  but  feel  that 
there’s  no  hope  in  sight. 

Our  slashed  budgets  are 
being  cut  again,  and  even 
future  budgets  are  being 
trimmed  as  the  economy 


who  could  explain  in  plain 
English  to  C-level  execu¬ 
tives  why  they  need  secu¬ 
rity  technology. 

I’m  seriously  thinking 
about  it.  ■ 

This  week’s  journal  is  writ¬ 
ten  by  a  real  security  man¬ 
ager, “C.J. Kelly,” whose
name  and  employer  have 
been  disguised  for  obvious 
reasons.  Contact  her  at 
mscjkelly@yahoo.com. 




Paul Glen


How  to  Get  Value 
From  Outsiders 


the  value  you  want.  Then 
ask  yourself  four  questions 
about  the  relationship: 

■  Is  that  really  what  I 


THIS SUMMER marks my 20th year as an IT consultant. I’ve been fortunate enough to work with more than 100 companies, big and small, public and private, on three continents.

I’ve had the opportunity to observe how organizations derive value from outsiders, and how those relationships can enhance effectiveness and be cost-efficient. I’ve also seen that they can be useless or even destructive.

There are probably few

at the tactical level. Each label can have positive or negative emotional connotations for providers and clients, and those

feet his response. Unfortunately, language also changes over time. The meanings of these words evolve, making it

over time?
if you can get everyon
in less than an h
clients skip this
pletely. Everyon
that they know
want and that ev
wants the same


often  requires  par¬ 
ticipating  in  a  fin- 


iate  about  how  you  wan 
a  relationship  to  benefit 
you  and  your  organizati 
is  not  a  simple  task.  Just 


the award-winning
Leading Geeks: How to
Manage and Lead People
Who Deliver Technology
(Jossey-Bass, 2003). Contact
him at info@paulglen.com.




SAPped  Workforce 


For the seventh consecutive quarter, Foote Partners LLC's Pay Index shows that the average pay for a large group of IT certifications declined, falling 1.6% in the six months that ended April 1. But salaries for a similarly large group of noncertified skills have continued to advance for an even longer period, since mid-2005. That group of 164 skills saw salaries rise nearly 2% over the same six-month period.

Foote Partners notes that the increase in pay for noncertified skills is due in no small part to competition for IT professionals with experience in various SAP applications. David Foote, CEO and chief research officer of the Vero Beach, Fla., firm, said in a press release that SAP has "caused skills and labor shortages that have gripped sizable segments of the employment market in North America and around the world and created some nasty supply and demand fluctuations."


Only  one  SAP  skill  is  among  the  top  five  for  average  pay  increases 
over  the  most  recent  six-month  period,  but  eight  are  in  the  top  25. 


Don’t  Stress  Out 
About  Calling  In  Sick 


THE  BIG  GAINERS 


Employers in both the U.K. and Australia are looking at voice analysis technology that they think could help reduce absenteeism. The technology makes thousands of checks on a voice in the course of a telephone call. A tool called Voice Risk Analysis, developed by Nemesysco Ltd. and DigiLog UK Ltd., has been used to reduce benefits fraud in the U.K.: A North London borough, for example, saved £420,000 ($832,837 U.S.) in false claims during a product trial. The tool listens in on calls and prompts the manager if it detects changes in the caller's voice that suggest he is under stress, a possible indication that he is lying. Susan Anderson, personnel policy chief at the Confederation of British Industry, was quoted in a May Mail Online story as saying that "pulling a sickie" (or, in another bit of British slang, "swinging the lead") costs U.K. businesses £1.6 billion ($3.17 billion) annually


keep  up  with  the  co*t  offering.  By 


SharkTank 

TRUE  TALES  OF  IT  LIFE  AS  TOLD  TO  SHARKY 


Try,  Try  Again 

Hospital IT help desk gets a call from nurses in the clinic who say they're having trouble adding paper to their laser printer. "They told the tech that the eject button for the paper tray was not working properly," says a pilot fish there. "Since it didn't eject the paper tray when it was pushed the first time, they pushed it harder a number of times, and now there was no power to the printer." But the tech is puzzled. There's an identical printer in the IT offices and it has no eject button - to add paper, you just slide out the paper tray. A quick trip to the clinic solves the mystery: The printer's power switch has been jammed completely into the case. Says fish, "The nurse on-site swore that she always had to push this 'eject button' to release the paper tray to load paper - and she had trained quite a few others to do the same. When the tech calmly explained that was the power switch and now the printer was definitely broken, the nurse's reply was, 'Can't you just swap it with a spare one you have somewhere?' "

Pop  Quiz 

This  support  pilot  fish  divides 
users  into  two  groups:  those 
who  can  help  him  diagnose 
a  problem,  and  those  who 
lead  him  down  a  rathole  if  he 
believes  anything  they  say. 
And  he  finds  that  a  few  test 


questions  can  usually  identify 
which  is  which.  Case  in  point: 
a  user  who  says  that  since 
she  got  a  wireless  mouse,  her 


starts her home PC. Fish: Are the cables plugged firmly into computer and monitor? User: "Yes." Are the power cords plugged into a multiple-outlet strip? "Yes." Are there separate power switches for the computer, monitor ... "Yes, yes." ... The keyboard and mouse, too? "Yes, yes, yes, yes!" Are the power switches for the keyboard and mouse turned on? "Yes!" Sighs fish, "She failed the test. I told her, 'Well, I'm not quite sure what the problem is. Why don't you try plugging in a standard mouse and call me back


Oops! 

Desktop  tech  is  upgrading 
users  to  new  laptops  and 
transfers  this  user's  data  to  a 
new  machine,  reports  a  pilot 


fish  on  the  so 
the old laptop, which is three years old, with her in case there are files she forgot to request be moved," fish says. But two weeks later, when it's time to collect the old machines, there's a problem. "The tech calls to make arrangements to pick up the laptop," says fish. "She tells him that she donated it to her favorite charity. He asks why and she says that since he left it with her, she thought he wanted her to take care of disposal."

■  Sharky  will  gladly  take 
that  true  tale  of  IT  life  off 
your  hands.  Send  it  to  me  at 
sharky@computerworld.com. 
You'll  score  a  sharp  Shark  shirt 


■  FRANKLY  SPEAKING 

Frank  Hayes 

Fix  DNS  Now 


IF YOU’RE a hard-core IT security wonk, you already
know  about  this.  If  not,  go  to  Doxpara.com  right  now 
and  click  on  the  button  that  says  “Check  my  DNS.”  That 
will  run  a  simple  test  to  tell  you  whether  your  name 
server  appears  to  be  vulnerable  to  DNS  cache  poisoning. 

No,  really  —  right  away.  Doxpara.com.  Go.  Now.  We’ll  wait. 

Did the test say that you’re vulnerable? Then you’ve got work to do.

Did it say that you’re not? You’ve still got work to do.

Here’s why: Early this year, security researcher Dan Kaminsky discovered a design flaw in the Internet’s Domain Name System, which translates names like Computerworld.com into IP addresses such as 65.22U10.98.

Kaminsky didn’t find a bug in one DNS implementation. He found a vulnerability that’s designed into every DNS server. That’s right — they’re all broken. Microsoft’s version. And Cisco’s. And BIND, which is widely used on Unix and Linux servers.

The design flaw allows an attacker to hijack domain names. Put simply, a victim would never know where the Internet was taking him. E-mail could be redirected. Web sites could be spoofed. Everything on the Internet is at risk if an attacker takes over the DNS.

How do you fix a fundamental design flaw that affects the entire Internet?

Answer: You can’t. So you don’t. Instead, you find a way to make the design flaw much, much harder to exploit.

Kaminsky contacted Paul Vixie, who has been responsible for the BIND DNS server since 1988.

Vixie called together the top DNS experts.

In March, they secretly started work on the job of patching every major DNS implementation. Not with a fix — that would be impossible — but with a work-around.

On July 8, they all rolled out their patches at the same time (see story, page 12). Microsoft. Cisco. AT&T. Sun. Red Hat. The BIND guys. Everybody.

This  is  not  “a  patch” 
to  fix  “a  bug.”  This  is  a 
wake-up  call  for  virtually 
the  whole  IT  industry. 
The  entire  Internet  needs 
fixing.  Yes,  right  now. 

And  that  includes  every 
corporate  network  and 
every  ISP. 

Here’s the good news: Because the flaw Kaminsky discovered is so baked into DNS, because it literally can’t be fixed, the only good way to block it is to make it really hard for attackers to do anything bad to a DNS server. That’s what last week’s patches do.

As a result, those patches protect you not only from the design flaw Kaminsky discovered, but also from lots of other bugs that have been found over the years — and from bugs that haven't yet been discovered. It's the biggest and most effective Internet security fix ever.

You want these patches on your DNS servers. You need them. If you’re a CIO or an IT manager and you failed that test at Doxpara.com, you should start asking your networking guys when you’ll no longer be vulnerable.

If  you  didn’t  fail  the 
test,  don’t  get  cocky.  Sure, 
the  DNS  server  you’re 
using  is  good.  But  are  all 
of  your  network’s  DNS 
servers  safe?  What  about 
the  DNS  servers  of  ISPs 
that  your  users  connect  to 
when  they’re  on  the  road 
or  working  from  home? 
What  about  business 
partners  who  connect  to 
your  systems  across  the 
Internet?  They  all  need 
fixing. 

And it won’t all be as simple as testing and installing patches. Some older DNS servers haven’t been patched. They’ll need upgrades. Yahoo, for example, uses BIND Version 8. There’s no patch for that, so Yahoo is upgrading its entire infrastructure.

See?  There’s  work  to  do. 
Get  to  it.  Now.  Don’t  wait 
for  the  bad  guys  to  figure 
out  how  to  exploit  this 
DNS  flaw. 

Because once they do, they won’t wait for you. ■

Frank Hayes is Computerworld’s senior news columnist. Contact him at frank_hayes@computerworld.com.




